Vault
monitor
Stream Vault server logs in real-time to stdout
.
$ vault monitor [flags]
$ vault monitor [-help | -h]
Description
vault monitor
command shows a real time display of the server logs of a Vault
server. This command accepts a log level as an argument, which can be different
from the log level that the Vault server was started with.
vault monitor
honors the VAULT_ADDR
environment variable. The address
specified determines the target server that will be monitored.
Limitations and warnings
Note that this command is designed to run indefinitely. It is similar to
tail -f
in the Unix world. This command will not exit on its own unless it encounters an unexpected error. As a user, you must terminate this process yourself to shut it down.If Vault is emitting log messages faster than a receiver can process them, the some log lines will be dropped.
Related API endpoints
MonitorLogs - GET: /sys/monitor
Command arguments
- None
Command options
- None
Command flags
-log-level (enum : info)
Monitor the Vault server at this log level. Valid log levels are (in order of detail) "trace", "debug", "info", "warn", "error".
Example: -log-level debug
-log-format (string : "standard")
Format to emit logs. Valid formats are "standard", and "json".
Example: -log-format "standard"
Standard flags
[-address | VAULT_ADDR] (string : 'https://127.0.0.1:8200')
Address of the Vault server.
Examples:
- CLI flag:
-address "https://mydomain/vault:8200"
- Environment variable:
export VAULT_ADDR="https://mydomain/vault:8200"
[-agent-address | VAULT_AGENT_ADDR] (string : "")
Address of the Vault Agent, if used.
Examples:
- CLI flag:
-agent-address "https://mydomain/vault-agent:8200"
- Environment variable:
export VAULT_AGENT_ADDR="https://mydomain/vault-agent:8200"
[-ca-cert | VAULT_CA_CERT] (string : "")
Path to a PEM-encoded CA certificate file on the local disk. Used to verify SSL
certificates for the server. Takes precedence over -ca_path
.
Examples:
- CLI flag:
-ca-cert "/path/to/certs/mycert.pem"
- Environment variable:
export VAULT_CA_CERT="/path/to/certs/mycert.pem"
[-ca-path | VAULT_CAPATH] (string : "")
Path to a directory with PEM-encoded CA certificate files on the local disk. Used to verify SSL certificates for the server.
Examples:
- CLI flag:
-ca-path "/path/to/certs/dir"
- Environment variable:
export VAULT_CAPATH="/path/to/certs/dir"
[-client-cert | VAULT_CLIENT_CERT] (string : "")
Path to a PEM-encoded CA certificate file on the local disk. Used for TLS
communication with the server. The specified certificate must match to the
private key specified with -client-cert
.
Examples:
- CLI flag:
-client-cert "/path/to/certs/mycert.pem"
- Environment variable:
export VAULT_CLIENT_CERT="/path/to/certs/mycert.pem"
[-client-key | VAULT_CLIENT_KEY] (string : "")
Path to a PEM-encoded private key that matches the client certificate set with
-client-cert
.
Examples:
- CLI flag:
-client-key "/path/to/keys/myprivatekey.pem"
- Environment variable:
export VAULT_CLIENT_KEY="/path/to/keys/myprivatekey.pem"
[-disable-redirects | VAULT_DISABLE_REDIRECTS] (bool : false)
Disable the default CLI redirect behavior so the CLI honors the first redirect response from the underlying API instead of following the full HTTP redirect chain.
Examples:
- CLI flag:
-disable-redirects
- Environment variable:
export VAULT_DISABLE_REDIRECTS=1
Warning
Disabling the default redirect behavior may cause commands that redirect
requests to primary cluster notes (like vault operator raft snapshot
) to
misbehave.
[-format | VAULT_FORMAT] (enum: json)
Set the CLI output format.
Value | Description |
---|---|
table | Structure the response as a table |
json | Structure the response as JSON data |
yaml | Structure the response as YAML data |
jsonx | Structure information as XML data |
Examples:
- CLI flag:
-format table
- Environment variable:
export VAULT_FORMAT=table
-header (string : "")
Optional HTTP header in the form "<key>=<value>"
for the CLI request. Repeat
the -header
flag as needed with one string per flag. User-defined headers
cannot start with X-Vault-
Example: -header "Cache-Control=max-age=0"
[-mfa | VAULT_MFA] (string : "")
Enterprise
A multi-factor authentication (MFA) credential, in the format
mfa_method_name[:key[=value]]
, that the CLI should use to authenticate to
Vault. The CLI adds MFA credentials to the X-Vault-MFA
header when calling the
underlying API endpoint.
Examples:
- CLI flag:
-mfa "totp:password=12345"
- Environment variable:
export VAULT_MFA="totp:password=12345"
Note
The VAULT_MFA
environment variable only accepts one MFA method specification
and one credential for the specified method. To supply multiple credentials or
MFA methods, use the -mfa
CLI flag and repeat the flag as needed.
[-namespace | -ns | VAULT_NAMESPACE] (string : <unset>)
Root namespace for the CLI command. Setting a default namespace allow relative mount paths.
Examples:
- CLI flag:
-namespace "admin"
- Environment variable:
export VAULT_NAMESPACE="admin"
-non-interactive (bool : false)
Prevent the CLI from asking users for input through the terminal.
Example: -non-interactive
-output-curl-string (bool : false)
Print the API call(s) required to execute the CLI command as cURL
strings
then exit without running the command.
Example: -output-curl-string
-output-policy (bool : false)
Print the Vault policy required to execute the CLI command as HCL then exit without running the command.
Example: -output-policy
-policy-override (bool : false)
Overrides any Sentinel policy where enforcement_level
is "soft-mandatory".
Example: -policy-override
[-tls-server-name | VAULT_TLS_SERVER_NAME] (string : "")
Name of the SNI host for TLS handshake resolution for TLS connections to Vault.
Examples:
- CLI flag:
-tls-server-name "hostname.domain"
- Environment variable:
export VAULT_TLS_SERVER_NAME="hostname.domain"
[-tls-skip-verify | VAULT_SKIP_VERIFY] (bool : false)
Disable verification for all TLS certificates. Use with caution. Disabling TLS certificate verification decreases the security of data transmissions to and from the Vault server.
Examples:
- CLI flag:
-tls-skip-verify
- Environment variable:
export VAULT_SKIP_VERIFY=1
-unlock-key (string : <unset>)
Plaintext key that unlocks the underlying API endpoint for a given namespace.
Example: -unlock-key "7oXtdlmvRQ"
[-wrap-ttl | VAULT_WRAP_TTL] (string : "")
Default time-to-live in <number>[s|m|h|d]
format for the Cubbyhole token used
to wrap CLI responses. You must use vault unwrap
to view response data before
the duration expires. Leave wrap_ttl
unset to leave CLI responses unwrapped.
Examples:
- CLI flag:
-wrap-ttl "5m"
- Environment variable:
export VAULT_WRAP_TTL="5m"
Examples
Monitor server logs at the debug
log level:
$ vault monitor -log-level=debug